Abstract. In this paper we deal with verification of safety properties of term-rewriting systems. The verification problem is translated to a purely logical problem of finding a finite countermodel for a first-order formula, which is further resolved by a generic finite model finding procedure. A finite countermodel produced during successful verification provides a concise description of the system invariant sufficient to demonstrate a specific safety property.

We show the relative completeness of this approach with respect to the tree automata completion technique. On a set of examples taken from the literature we demonstrate the efficiency of the finite model finding approach as well as its explanatory power.



1 Introduction

The development of general automated methods for the verification of infinite-state and parameterized systems poses a major challenge. In general, such problems are undecidable, so one can not hope for an ultimate solution, and development should focus on restricted classes of systems and properties.

In this paper we deal with a very general method for verification of safety properties of infinite-state systems which is based on a simple idea. If the evolution of a computational system is faithfully modelled by a derivation in classical first-order logic, then safety verification (non-reachability of unsafe states) can be reduced to the disproving of a first-order formula. The latter task can be (partially, at least) tackled by generic automated procedures searching for finite countermodels.

Such an approach to verification originated in the research on formal verification of security protocols [29, 28, 15] and was later extended to wide classes of infinite-state and parameterised verification tasks. Completeness of the approach for particular classes of systems (lossy channel systems) and relative completeness with respect to the general method of regular model checking have been established in [23] and [18], respectively.

Here we continue the investigation of the boundaries of applicability of the finite countermodel based method and look into verification of safety properties of term-rewriting systems (TRS). Term-rewriting systems provide a general formalism for specification and verification of infinite-state systems. Several general automated methods for verification of safety properties of term-rewriting systems have been proposed and implemented [12, 9, 10], with the methods based on tree automata completion [12, 9] playing the major role.

We show that verification via the finite countermodels (FCM) approach provides a viable alternative to the methods based on tree automata completion. We show the relative completeness of FCM with respect to the tree automata completion methods (TAC).

We illustrate it on a simple example taken from [11]. Consider the TRS $\mathcal{R} = \{f(x) \to f(s(s(x)))\}$ and assume that we want to prove that $f(a) \not\to^{*} f(s(a))$. In [11] a simple finite-state abstraction of the set of reachable terms, expressed by the equation $E = \{s(s(x)) = x\}$, is explicitly added to the TRS and a simple analysis of rewriting modulo $E$ is proposed. In the FCM approach, the same problem is translated into disproving the first-order formula $\varphi_{\mathcal{R}} := (\forall x\, R(f(x), f(s(s(x))))) \to R(f(a), f(s(a)))$. The intended meaning of the binary predicate $R$ here is to encode the reachability relation of the TRS. A finite countermodel of $\varphi_{\mathcal{R}}$, having size 2 (cardinality of the domain) and essentially representing the above abstraction, i.e. satisfying $s(s(x)) = x$, can be found by an automated model finder, e.g. Mace4, in a fraction of a second.

On a series of examples taken from the literature we demonstrate the practical efficiency of the FCM approach using an off-the-shelf, state of the art implementation of a finite model finding procedure, Mace4 (W. McCune), and illustrate the high degree of automation achievable as well as the explanatory power of the method.

2 Preliminaries 

In this paper we use standard terminology for first-order predicate logic and term-rewriting systems; for detailed accounts of these areas the reader is referred to [...] and to [3], respectively. We recall here only the concepts which we are going to use in the paper.

2.1 First-order Logic 

The first-order vocabulary is defined as a finite set $\Sigma = \mathcal{F} \cup \mathcal{P}$ where $\mathcal{F}$ and $\mathcal{P}$ are the sets of functional and predicate symbols, respectively. Each symbol in $\Sigma$ has an associated arity, and we have $\mathcal{F} = \bigcup_{i \geq 0} \mathcal{F}_i$ and $\mathcal{P} = \bigcup_{i \geq 1} \mathcal{P}_i$, where $\mathcal{F}_i$ and $\mathcal{P}_i$ consist of symbols of arity $i$. The elements of $\mathcal{F}_0$ are also called constants.

A first-order model over vocabulary $\Sigma$, or just a model, is a pair $\mathcal{M} = (D, [\Sigma]_D)$ where $D$ is a set called the domain of $\mathcal{M}$ and $[\Sigma]_D$ denotes the interpretations of all symbols from $\Sigma$ in $D$. For a domain $D$ and a function symbol $f$ of arity $n \geq 1$ an interpretation of $f$ in $D$ is a function $[f]_D : D^n \to D$. For a constant $c$ its interpretation $[c]_D$ is an element of $D$. For a domain $D$ and a predicate symbol $P$ of arity $n$ an interpretation of $P$ in $D$ is a relation of arity $n$ on $D$, that is $[P]_D \subseteq D^n$. The model $\mathcal{M} = (D, [\Sigma]_D)$ is called finite if $D$ is a finite set.

We assume that the reader is familiar with the standard definitions of first-order formula, first-order sentence, satisfaction $\mathcal{M} \models \varphi$ of a formula $\varphi$ in a model $\mathcal{M}$, and deducibility (derivability) $\Phi \vdash \varphi$ of a formula $\varphi$ from a set of formulae $\Phi$. We also use the existence of complete finite model finding procedures for first-order predicate logic [4, 26], which, given a first-order sentence $\varphi$, eventually produce a finite model for $\varphi$ if such a model exists.

2.2 Term-rewriting systems and tree automata 

To define a term-rewriting system we fix a finite set of functional symbols $\mathcal{F}$, each associated with an arity, and a set of variables $\mathcal{X}$. $T(\mathcal{F}, \mathcal{X})$ and $T(\mathcal{F})$ denote the sets of terms and ground terms, respectively, defined in the standard way using $\mathcal{F}$ and $\mathcal{X}$. The set of variables of a term $t$ is denoted by $Var(t)$. A substitution is a function $\sigma : \mathcal{X} \to T(\mathcal{F}, \mathcal{X})$, which can be extended homomorphically in a unique way (and keeping the name) to $\sigma : T(\mathcal{F}, \mathcal{X}) \to T(\mathcal{F}, \mathcal{X})$. Application of a substitution $\sigma$ to a term $t$ we denote by $t\sigma$.

A term-rewriting system $\mathcal{R}$ is a set of rewrite rules $l \to r$ where $l, r \in T(\mathcal{F}, \mathcal{X})$, $l \notin \mathcal{X}$ and $Var(r) \subseteq Var(l)$. The notion of a subterm is defined in the standard way. The one-step rewriting relation $\Rightarrow_{\mathcal{R}} \subseteq T(\mathcal{F}, \mathcal{X}) \times T(\mathcal{F}, \mathcal{X})$ is defined as follows: $t_1 \Rightarrow_{\mathcal{R}} t_2$ holds iff $t_2$ is obtained from $t_1$ by replacement of a subterm $l\sigma$ of $t_1$ with a subterm $r\sigma$ for some rewriting rule $(l \to r)$ in $\mathcal{R}$ and some substitution $\sigma$. The reflexive and transitive closure of $\Rightarrow_{\mathcal{R}}$ is denoted by $\Rightarrow^{*}_{\mathcal{R}}$.

Definitions of tree automata we borrow largely from []. Let $Q$ be a finite set of symbols called states, which we formally treat as functional symbols of arity 0 (constants). We assume $Q \cap \mathcal{F} = \emptyset$. Elements of $T(\mathcal{F} \cup Q)$ are called configurations.

Definition 1. (Transitions) A transition is a rewrite rule $c \to q$, where $c$ is a configuration, i.e. $c \in T(\mathcal{F} \cup Q)$, and $q \in Q$. A normalized transition is a transition $c \to q$ where $c = f(q_1, \ldots, q_n)$, $f$ is a functional symbol of arity $n$ from $\mathcal{F}$, and $q, q_1, \ldots, q_n \in Q$. An $\epsilon$-transition $c \to q$ is such that $c \in Q$.

Definition 2. (Tree automata) A (bottom-up, non-deterministic, finite) tree automaton is a quadruple $\mathcal{A} = (\mathcal{F}, Q, Q_f, \Delta)$, where $Q_f \subseteq Q$ is a set of final (accepting) states and $\Delta$ is a set of normalized transitions and of $\epsilon$-transitions.

The transitions $\Delta$ of $\mathcal{A}$ induce the rewriting relation on $T(\mathcal{F} \cup Q)$ which is denoted by $\Rightarrow_{\Delta}$ or $\Rightarrow_{\mathcal{A}}$.

Definition 3. (Recognized language) The tree language recognized by $\mathcal{A}$ in a state $q$ is $L(\mathcal{A}, q) = \{t \in T(\mathcal{F}) \mid t \Rightarrow^{*}_{\mathcal{A}} q\}$. The language recognized by $\mathcal{A}$ is $L(\mathcal{A}) = \bigcup_{q \in Q_f} L(\mathcal{A}, q)$.

Example 1. (Tree automaton and recognized language) Let $\mathcal{F} = \{f, a, b\}$ and $\mathcal{A} = (\mathcal{F}, Q, Q_f, \Delta)$, where $Q = \{q_1, q_2\}$, $Q_f = \{q_1\}$, and $\Delta = \{f(q_1) \to q_1,\ a \to q_1,\ b \to q_2,\ q_2 \to q_1\}$. Then $L(\mathcal{A}, q_1) = T(\{f, a, b\})$, that is the set of all terms built on $\{f, a, b\}$, and $L(\mathcal{A}, q_2) = \{b\}$.

Deterministic bottom-up tree automata have the same expressive power as 
non-deterministic bottom-up tree automata, that is they recognize the same 
classes of term languages. In what follows we assume that automata are deter- 
ministic, unless otherwise specified. 



3 Safety via finite countermodels 

3.1 Basic verification problem 

The main verification problem we consider in this paper is as follows. 

Problem 1.

Given: Tree automata $\mathcal{A}_I$ and $\mathcal{A}_U$, a term-rewriting system $\mathcal{R}$
Question: Does $\forall t_1 \in L(\mathcal{A}_I)\ \forall t_2 \in L(\mathcal{A}_U)\ t_1 \not\Rightarrow^{*}_{\mathcal{R}} t_2$ hold?

In applications, we assume that the states of the computational system to be verified are represented by terms, the system evolution (computation) is represented by $\mathcal{R}$, and the tree automata $\mathcal{A}_I$ and $\mathcal{A}_U$ provide finitary specifications of the (in general infinite) sets of allowed initial states and of unsafe states, represented by $L(\mathcal{A}_I)$ and $L(\mathcal{A}_U)$, respectively. Under such assumptions, safety of the system is equivalent to a positive answer to the question of Problem 1.

Modifications of the basic problem will be considered later. 

3.2 Translation of the basic verification problem 

In this subsection we show how to reduce the basic verification problem to the problem of disproving a formula of classical first-order predicate logic. First, we define the translation $\Phi_{\mathcal{R}}$ of a term-rewriting system $\mathcal{R}$ over $T(\mathcal{F}, \mathcal{X})$ into a set of first-order formulae in the vocabulary $\mathcal{F} \cup \{R\}$, where $R$ is a new binary predicate symbol. Let $\Phi_{\mathcal{R}} = \Phi^{\prime}_{\mathcal{R}} \cup \Phi_{\mathcal{F}}$, where $\Phi^{\prime}_{\mathcal{R}} = \{R(l, r) \mid (l \to r) \in \mathcal{R}\}$ and $\Phi_{\mathcal{F}}$ is the set of the following formulae, which are all assumed to be universally closed and where $x_1, \ldots, x_i, \ldots, x_n, x^{\prime}$ are distinct variables:

1. $R(x, y) \wedge R(y, z) \to R(x, z)$ (transitivity axiom)

2. $R(x_i, x^{\prime}) \to R(f(x_1, \ldots, x_i, \ldots, x_n), f(x_1, \ldots, x^{\prime}, \ldots, x_n))$ for every $n$-ary functional symbol $f$ from $\mathcal{F}$ and every position $i$, $1 \leq i \leq n$ (congruence axioms)

Under such a translation first-order derivability faithfully models rewriting in $\mathcal{R}$, as the following proposition shows.

Proposition 1. For ground terms $t_1, t_2 \in T(\mathcal{F})$, if $t_1 \Rightarrow^{*}_{\mathcal{R}} t_2$ then $\Phi_{\mathcal{R}} \vdash R(t_1, t_2)$.

Proof. Due to the transitivity of $R$ specified in $\Phi_{\mathcal{R}}$ it is sufficient to show that if $t_1 \Rightarrow_{\mathcal{R}} t_2$ then $\Phi_{\mathcal{R}} \vdash R(t_1, t_2)$. Assume $t_1 \Rightarrow_{\mathcal{R}} t_2$; then $t_2$ is obtained from $t_1$ by the replacement of some subterm $l\sigma$ of $t_1$ with a subterm $r\sigma$ for some $(l \to r) \in \mathcal{R}$ and some substitution $\sigma$. Consider two sequences of subterms $\tau_0 = l\sigma, \tau_1, \ldots, \tau_k = t_1$ and $\rho_0 = r\sigma, \rho_1, \ldots, \rho_k = t_2$ with the property that $\tau_i$ is an immediate subterm of $\tau_{i+1}$ within $t_1$ and $\rho_i$ is an immediate subterm of $\rho_{i+1}$ within $t_2$, $i = 0, \ldots, k-1$. Then we show by easy induction on $i$ that $\Phi_{\mathcal{R}} \vdash R(\tau_i, \rho_i)$ for $i = 0, \ldots, k$. Indeed, for $i = 0$ we have that $R(\tau_0, \rho_0) = R(l\sigma, r\sigma)$ is a ground instance of $R(l, r) \in \Phi^{\prime}_{\mathcal{R}}$ and therefore $\Phi_{\mathcal{R}} \vdash R(\tau_0, \rho_0)$. For the induction step, assume $\Phi_{\mathcal{R}} \vdash R(\tau_i, \rho_i)$. Notice that by construction of the sequences of $\tau$'s and $\rho$'s, $\tau_{i+1}$ and $\rho_{i+1}$ have the same outermost functional symbol $f$ and coincide everywhere apart from the subterms $\tau_i$ and $\rho_i$. Let $\tau_{i+1} = f(\ldots, \tau_i, \ldots)$ and $\rho_{i+1} = f(\ldots, \rho_i, \ldots)$. Then $R(\tau_i, \rho_i) \to R(\tau_{i+1}, \rho_{i+1})$ is a ground instance of one of the formulae in $\Phi_{\mathcal{F}}$. So we have $\Phi_{\mathcal{R}} \vdash R(\tau_i, \rho_i) \to R(\tau_{i+1}, \rho_{i+1})$ and by the inductive assumption $\Phi_{\mathcal{R}} \vdash R(\tau_i, \rho_i)$. It follows that $\Phi_{\mathcal{R}} \vdash R(\tau_{i+1}, \rho_{i+1})$. The induction step is completed. We have $\Phi_{\mathcal{R}} \vdash R(\tau_k, \rho_k)$, which is $\Phi_{\mathcal{R}} \vdash R(t_1, t_2)$.

Now we define a first-order translation of a tree automaton. Let $\mathcal{A} = (\mathcal{F}, Q, Q_f, \Delta)$ be a tree automaton, and let $\Sigma_{\mathcal{A}}$ be the following first-order vocabulary:

— constants for all elements of $Q$;
— all functional symbols from $\mathcal{F}$;
— a binary predicate symbol $R$.

Let $\Phi_{\mathcal{A}}$ be the set of first-order formulae in vocabulary $\Sigma_{\mathcal{A}}$ defined as $\Phi_{\mathcal{A}} = \Phi_{\Delta} \cup \Phi_{\mathcal{F}}$, where $\Phi_{\Delta} = \{R(c, q) \mid (c \to q) \in \Delta\}$ and $\Phi_{\mathcal{F}}$ is as defined above.

As the following proposition shows, first-order logic derivations from $\Phi_{\mathcal{A}}$ faithfully simulate the work of the automaton $\mathcal{A}$.

Proposition 2. (Adequacy of automata translation)
If $t \in L(\mathcal{A})$ then $\Phi_{\mathcal{A}} \vdash \bigvee_{q \in Q_f} R(t, q)$.

Proof. The statement of the proposition follows immediately from Definitions 2 and 3 and Proposition 1.

Now we are ready to define the translation of the basic verification problem. Assume we are given an instance $P = (\mathcal{A}_I, \mathcal{R}, \mathcal{A}_U)$ of Problem 1 with a term-rewriting system $\mathcal{R}$ over $T(\mathcal{F}, \mathcal{X})$ and tree automata $\mathcal{A}_I = (\mathcal{F}, Q_I, Q_{f_I}, \Delta_I)$, $\mathcal{A}_U = (\mathcal{F}, Q_U, Q_{f_U}, \Delta_U)$. Assume also (without loss of generality) that the sets $\mathcal{F}$, $Q_I$ and $Q_U$ are disjoint.

We define the translation of $P$ as $\Phi_P = \Phi_{\mathcal{A}_I} \cup \Phi_{\mathcal{A}_U} \cup \Phi_{\mathcal{R}}$. By the above definitions we then also have $\Phi_P = \Phi_{\mathcal{F}} \cup \Phi_{\Delta_I} \cup \Phi_{\Delta_U} \cup \Phi^{\prime}_{\mathcal{R}}$. We further define the translation of the (negation of the) correctness condition from $P$ as the formula $\psi_P = \exists x \exists y \bigvee_{q_I \in Q_{f_I},\ q_U \in Q_{f_U}} R(x, q_I) \wedge R(x, y) \wedge R(y, q_U)$.

The following proposition and corollary serve as the formal underpinning of the proposed verification method.

Proposition 3. (Correctness of the translation)

Let $P$ be an instance of the basic verification problem as detailed above. Then if $P$ has a negative answer then $\Phi_P \vdash \psi_P$.

Proof. The statement of the proposition immediately follows from Definitions 2 and 3 and Propositions 1 and 2.

By contraposition we have the following

Corollary 1. If $\Phi_P \nvdash \psi_P$ then the instance $P$ has a positive answer and the safety property holds.



3.3 FCM method 

By the FCM (finite countermodels) verification method we understand the following. Given an instance $P = (\mathcal{A}_I, \mathcal{R}, \mathcal{A}_U)$ of the basic verification problem, translate it into a set of first-order formulae $\Phi_P$ and a formula $\psi_P$ as described above. Then apply a generic finite model finding procedure to find a countermodel for $\Phi_P \to \psi_P$. If a countermodel is found, the safety property is established and the instance $P$ has a positive answer.

3.4 Relative completeness 

In this section we show the relative completeness of FCM with respect to verification methods based on tree automata completion techniques (TAC). More precisely, we show that if safety of a TRS can be demonstrated by TAC, it can be demonstrated by FCM too.

Given an instance $P$ of the basic verification problem (Problem 1), verification by the TAC approach would proceed as follows. Starting from $\mathcal{A}_I$ and $\mathcal{R}$, the completion procedure yields an automaton $\mathcal{A}^{*}$ which describes, in general, an overapproximation of the set of terms reachable in $\mathcal{R}$ from $L(\mathcal{A}_I)$, that is $L(\mathcal{A}^{*}) \supseteq \{t \mid \exists t_0 \in L(\mathcal{A}_I)\ t_0 \to^{*}_{\mathcal{R}} t\}$. Further, the check of whether $L(\mathcal{A}^{*}) \cap L(\mathcal{A}_U) = \emptyset$ is performed and, if it holds, safety is established.

An exact description of the set of all reachable terms of a term-rewriting system by a tree automaton is not always possible. The main direction in the development of TAC methods is the development of more efficient and more precise approximation methods.

Theorem 1. Let $P = (\mathcal{A}_I, \mathcal{A}_U, \mathcal{R})$ be a basic verification problem and assume there exists a tree automaton $\mathcal{A}^{*} = (\mathcal{F}, Q^{*}, Q^{*}_f, \Delta^{*})$ such that $L(\mathcal{A}^{*}) \supseteq \{t \mid \exists t_0 \in L(\mathcal{A}_I)\ t_0 \to^{*}_{\mathcal{R}} t\}$ and $L(\mathcal{A}^{*}) \cap L(\mathcal{A}_U) = \emptyset$. Then there exists a finite model $\mathcal{M}$ such that $\mathcal{M} \models \Phi_P \wedge \neg\psi_P$ (i.e. $\mathcal{M}$ is a countermodel for $\Phi_P \to \psi_P$).

Proof. Assume the conditions of the theorem hold. Define the domain $D$ of the required model: $D = Q^{\bot}_I \times Q^{\bot}_{*} \times Q^{\bot}_U$, where $Q^{\bot}_x = Q_x \cup \{\bot\}$.

Define the interpretations of constants $[c] = (a_I, a_{*}, a_U)$, where $a_x = q$ if $(c \to q) \in \Delta_x$, or $a_x = \bot$ otherwise, $x \in \{I, *, U\}$.

For a functional symbol $f$ of arity $n \geq 1$ define its interpretation $[f] : D^n \to D$ as follows:

$[f]((a^1_I, a^1_{*}, a^1_U), \ldots, (a^n_I, a^n_{*}, a^n_U)) = (a_I, a_{*}, a_U)$, where for all $x \in \{I, *, U\}$ either $(f(a^1_x, a^2_x, \ldots, a^n_x) \to a_x) \in \Delta_x$, or $a_x = \bot$ otherwise.

Once we have defined the interpretations of all functional symbols (including constants), any ground term $t$ gets its interpretation $[t] \in D$ in the standard way. Then it is an easy consequence of the definitions that $[t]$ is the triple of states of the automata $\mathcal{A}_I$, $\mathcal{A}^{*}$, $\mathcal{A}_U$, respectively, into which they get working on the input $t$. More formally, if $[t] = (a_I, a_{*}, a_U)$, then for all $x \in \{I, *, U\}$ either $t \Rightarrow^{*}_{\mathcal{A}_x} a_x \in Q_x$, or there is no $q \in Q_x$ such that $t \Rightarrow^{*}_{\mathcal{A}_x} q$, and then $a_x = \bot$.

Define the interpretation $[R] \subseteq D \times D$ of $R$ as follows:

$[R] = \{([t_1], [t_2]) \mid t_1, t_2 \text{ are ground terms},\ t_1 \Rightarrow^{*} t_2\}$

where $\Rightarrow$ denotes $\Rightarrow_{\mathcal{R}} \cup \Rightarrow_{\mathcal{A}_I} \cup \Rightarrow_{\mathcal{A}_U}$.

Now we are going to show that in the model $\mathcal{M}$ so defined we have $\Phi_P \wedge \neg\psi_P$ satisfied. Recall $\Phi_P = \Phi_{\mathcal{F}} \cup \Phi_{\Delta_I} \cup \Phi_{\Delta_U} \cup \Phi^{\prime}_{\mathcal{R}}$. We have

— $\mathcal{M} \models \Phi_{\mathcal{F}}$ (by the definition of rewriting and the definition of $[R]$);

— $\mathcal{M} \models \Phi_{\Delta_I} \cup \Phi_{\Delta_U} \cup \Phi^{\prime}_{\mathcal{R}}$ (by the definition of $[R]$).

To show $\mathcal{M} \models \neg\psi_P$ assume the opposite, i.e. $\mathcal{M} \models \psi_P$, that is $\mathcal{M} \models \exists x \exists y \bigvee_{q_I \in Q_{f_I},\ q_U \in Q_{f_U}} R(x, q_I) \wedge R(x, y) \wedge R(y, q_U)$. That means there are $a, b \in D$ such that $(a, [q_I]) \in [R]$, $(a, b) \in [R]$, $(b, [q_U]) \in [R]$. Consider ground terms $\tau_1$ and $\tau_2$ such that $[\tau_1] = a$ and $[\tau_2] = b$. We have $\tau_1 \in L(\mathcal{A}_I)$, $\tau_1 \Rightarrow^{*} \tau_2$, $\tau_2 \in L(\mathcal{A}_U)$. It follows that $\tau_2 \in L(\mathcal{A}^{*}) \cap L(\mathcal{A}_U)$, which contradicts the assumption of the theorem on the emptiness of $L(\mathcal{A}^{*}) \cap L(\mathcal{A}_U)$.

Note 1. The above model construction serves only the purpose of proof and it 
is not efficient in practical use of the method. Instead we assume that the task 
of model construction is delegated to a generic finite model building procedure. 

3.5 Variations on a theme 

Theorem 1 provides a lower bound for the verifying power of the FCM method applied to the basic verification problem. In this section we consider practically important variations of the basic verification problem which allow simplified translations and more efficient verification.



Finitely based sets of terms. In many safety verification tasks for TRS the sets of initial and/or unsafe terms are given not by tree automata, but rather are described as the sets of ground instances of terms from a given finite set of terms. More precisely, let $B$ be a finite set of terms in a vocabulary $\mathcal{F}$ and $g(B) = \{t \mid \exists t^{\prime} \in B\ \exists \theta\ t = t^{\prime}\theta;\ \theta \text{ is ground}\}$. It is easy to see that for finite $B$, $g(B)$ is a regular set.

Consider the following modification of the basic verification problem. 

Problem 2.

Given: Finite sets of terms $B_I$ and $B_U$, a term-rewriting system $\mathcal{R}$
Question: Does $\forall t_1 \in g(B_I)\ \forall t_2 \in g(B_U)\ t_1 \not\Rightarrow^{*}_{\mathcal{R}} t_2$ hold?

Let $P = (B_I, \mathcal{R}, B_U)$ be an instance of Problem 2.

The translation $\Phi_{\mathcal{R}}$ of the term-rewriting system $\mathcal{R}$ is defined as in Section 3.2.

The translation of the (negation of the) correctness condition from $P$ is defined as

$\psi_P = \exists \bar{x} \bigvee_{t_1 \in B_I,\ t_2 \in B_U} R(t_1, t_2)$, where $\bar{x}$ are the variables of $t_1$ and $t_2$.

Now we have the following analogue of Proposition 3.

Proposition 4. (Correctness of the translation)

Let $P$ be an instance of the verification problem as detailed above. Then if $P$ has a negative answer then $\Phi_{\mathcal{R}} \vdash \psi_P$.

Rewriting strategies. Another simplification of the translation may come from restrictions on the rewriting strategies in TRSs. If rewriting can only be applied at the outer level, i.e. the redex can only be the whole term, not a proper subterm, then the first-order translation of a TRS can be simplified by using a unary reachability predicate $R(-)$ instead of the binary $R(-, -)$. The intended meaning of $R(t)$ is "term $t$ is reachable from some of the initial terms (using the outermost strategy)". We omit the obvious details of the translation (axiomatization of $R$) and rather refer to Example 3. Notice that congruence axioms are not needed in this case, and it was observed empirically that their absence makes the countermodel search more efficient.



4 Experiments 

In this section we present three examples of application of the FCM method to safety verification and compare the results with those of alternative methods reported in the literature.

4.1 Parity of $n^2$

Example 2.

The following verification task is taken from [12, 10].

Let $P_{n^2} = (\mathcal{A}_I, \mathcal{R}, \mathcal{A}_U)$ be an instance of the basic verification task. The term-rewriting system $\mathcal{R}$ consists of the following rewriting rules:

— $plus(0, x) \to x$

— $plus(s(x), y) \to s(plus(x, y))$

— $times(0, x) \to 0$

— $times(s(x), y) \to plus(y, times(x, y))$

— $square(x) \to times(x, x)$

— $even(0) \to true$

— $even(s(0)) \to false$

— $even(s(x)) \to odd(x)$

— $odd(0) \to false$

— $odd(s(0)) \to true$

— $odd(s(x)) \to even(x)$

— $even(square(x)) \to odd(square(s(x)))$

— $odd(square(x)) \to even(square(s(x)))$

The tree automaton $\mathcal{A}_I$ recognizes the set of initial terms. It has the set of states $Q_I = \{s0, s1, s2\}$, the set of final states $Q_{f_I} = \{s0\}$ and the set of rewriting rules $\Delta_I = \{even(s1) \to s0,\ square(s2) \to s1,\ 0 \to s2\}$. It is easy to see that $L(\mathcal{A}_I) = \{even(square(0))\}$.

The tree automaton $\mathcal{A}_U$ recognizes the set of unsafe terms. It has the set of states $Q_U = Q_{f_U} = \{q0\}$ and the set of rewriting rules $\Delta_U = \{false \to q0\}$.

So the question of the verification problem $P_{n^2}$ is whether $false$ is reachable from $even(square(0))$.

The first-order translation $\Phi_P$ of $P_{n^2}$ consists of the following formulae (the constants $true$ and $false$ are abbreviated to $t$ and $f$):

— $R(plus(0, x), x)$

— $R(plus(s(x), y), s(plus(x, y)))$

— $R(times(0, x), 0)$

— $R(times(s(x), y), plus(y, times(x, y)))$

— $R(square(x), times(x, x))$

— $R(even(0), t)$

— $R(even(s(0)), f)$

— $R(even(s(x)), odd(x))$

— $R(odd(0), f)$

— $R(odd(s(0)), t)$

— $R(odd(s(x)), even(x))$

— $R(even(square(x)), odd(square(s(x))))$

— $R(odd(square(x)), even(square(s(x))))$

— $R(x, y) \wedge R(y, z) \to R(x, z)$

— $R(x, y) \to R(even(x), even(y))$

— $R(x, y) \to R(odd(x), odd(y))$

— $R(x, y) \to R(plus(x, z), plus(y, z))$

— $R(x, y) \to R(plus(z, x), plus(z, y))$

— $R(x, y) \to R(times(x, z), times(y, z))$

— $R(x, y) \to R(times(z, x), times(z, y))$

— $R(x, y) \to R(square(x), square(y))$

— $R(0, s2)$

— $R(even(s1), s0)$

— $R(square(s2), s1)$

— $R(f, q0)$



The formula $\psi_P : \exists x \exists y (R(x, s0) \wedge R(x, y) \wedge R(y, q0))$ expresses the negation of the correctness condition.

The finite model finder Mace4 has found a finite countermodel for $\Phi_P \to \psi_P$ (i.e. a finite model for $\Phi_P \wedge \neg\psi_P$) in 0.03s (see further details in Section 4.4). The domain $D$ of the model is the two-element set $\{0, 1\}$. Interpretations of constants: $[f] = [q0] = [s1] = [s2] = 0$; $[s0] = [t] = 1$. Interpretations of functions: $[even](0) = 1$, $[even](1) = 0$; $[odd](0) = 0$, $[odd](1) = 1$; $[s](0) = 1$, $[s](1) = 0$; $[square](0) = 0$, $[square](1) = 1$; $[plus](x, y) = (x + y) \bmod 2$; $[times](x, y) = x \times y$. Interpretation of the reachability relation: $[R] = \{(0, 0), (1, 1)\}$.

Notice that verification is done here fully automatically. This can be contrasted with the verification of the same system by the tree completion algorithm implemented in the Timbuk system [9], where user interaction was required to add an approximation equation $s(s(x)) = x$ manually. In [10] an automated verification of the same system was reported using a Horn clause approximation technique. The system was specified as a Horn clause program and the verification proceeded by producing a model for the program which contained 53 elements. The above model produced by Mace4 within the FCM approach provides a much more concise explanation of why safety holds: the interpretation of any ground term (0 or 1) is an invariant for reachability in the TRS, $[even(square(0))] = 1$ and $[f] = 0$.
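As an added worked example (not code from the paper), the following Python script carries out the translation of Section 3.2 for the parity-of-$n^2$ task and checks exhaustively that the two-element model above is indeed a countermodel for $\Phi_P \to \psi_P$. It generalizes the listed translation slightly by generating congruence axioms for every function symbol, including $s$ (they hold trivially here because $[R]$ is the identity), and it assumes the interpretation $[0] = 0$, which the model description leaves implicit.

```python
"""Check that the size-2 model of Example 2 is a countermodel for Phi_P -> psi_P.
Added example, not the paper's code: Phi_P is built as in Section 3.2 and evaluated
exhaustively over the two-element domain; psi_P is checked by search over D x D."""
import ast
from itertools import product

VARS = {"x", "y", "z"}  # variable names used in the rewrite rules


def parse(s):
    """Parse 'plus(s(x),y)' into ('plus', ('s', 'x'), 'y') using Python's expression parser."""
    def conv(n):
        if isinstance(n, ast.Call):
            return (n.func.id, *map(conv, n.args))
        name = str(n.value) if isinstance(n, ast.Constant) else n.id
        return name if name in VARS else (name,)   # constants are 1-tuples
    return conv(ast.parse(s.strip(), mode="eval").body)


def variables(t):
    return {t} if isinstance(t, str) else {v for a in t[1:] for v in variables(a)}


def arities(terms):
    """Arity of every non-constant function symbol occurring in the terms."""
    out = {}
    for t in terms:
        if isinstance(t, tuple) and len(t) > 1:
            out[t[0]] = len(t) - 1
            out.update(arities(t[1:]))
    return out


def translate(rules, transitions):
    """Phi_P as Horn clauses (premises, conclusion): R(l,r) for rules and transitions,
    transitivity, and one congruence axiom per function symbol and argument position."""
    R = lambda a, b: ("R", a, b)
    atoms = [R(parse(l), parse(r)) for l, r in (s.split("->") for s in rules + transitions)]
    clauses = [([], a) for a in atoms]
    clauses.append(([R("x", "y"), R("y", "z")], R("x", "z")))
    for f, n in arities([t for a in atoms for t in a[1:]]).items():
        xs = [f"x{i}" for i in range(1, n + 1)]          # fresh variables x1..xn, x_
        for i in range(n):
            ys = xs[:i] + ["x_"] + xs[i + 1:]
            clauses.append(([R(xs[i], "x_")], R((f, *xs), (f, *ys))))
    return clauses


def evaluate(t, funcs, val):
    """Value of term t under the interpretations funcs and the valuation val."""
    return val[t] if isinstance(t, str) else funcs[t[0]](*(evaluate(a, funcs, val) for a in t[1:]))


def holds(a, model, val):
    f = model["functions"]
    return (evaluate(a[1], f, val), evaluate(a[2], f, val)) in model["R"]


def violations(model, clauses):
    """Clauses of Phi_P failing under some valuation; empty iff model |= Phi_P."""
    bad = []
    for premises, conclusion in clauses:
        vs = sorted(set().union(*(variables(a[1]) | variables(a[2])
                                  for a in premises + [conclusion])))
        for values in product(model["domain"], repeat=len(vs)):
            val = dict(zip(vs, values))
            if all(holds(p, model, val) for p in premises) and not holds(conclusion, model, val):
                bad.append((premises, conclusion, val))
                break
    return bad


def psi_holds(model, init_final, unsafe_final):
    """psi_P: exist x, y with R(x, q_I), R(x, y), R(y, q_U) for some final states q_I, q_U."""
    D, f, rel = model["domain"], model["functions"], model["R"]
    return any((x, f[qi]()) in rel and (x, y) in rel and (y, f[qu]()) in rel
               for x in D for y in D for qi in init_final for qu in unsafe_final)


def is_countermodel(model, rules, transitions, init_final, unsafe_final):
    """True iff model |= Phi_P and model |= not psi_P, i.e. safety holds (Corollary 1)."""
    return (not violations(model, translate(rules, transitions))
            and not psi_holds(model, init_final, unsafe_final))


RULES = [  # the TRS of Example 2; true/false written t/f as in the paper's translation
    "plus(0,x) -> x", "plus(s(x),y) -> s(plus(x,y))", "times(0,x) -> 0",
    "times(s(x),y) -> plus(y,times(x,y))", "square(x) -> times(x,x)",
    "even(0) -> t", "even(s(0)) -> f", "even(s(x)) -> odd(x)",
    "odd(0) -> f", "odd(s(0)) -> t", "odd(s(x)) -> even(x)",
    "even(square(x)) -> odd(square(s(x)))", "odd(square(x)) -> even(square(s(x)))"]
TRANSITIONS = ["0 -> s2", "even(s1) -> s0", "square(s2) -> s1",  # Delta_I (final state s0)
               "f -> q0"]                                          # Delta_U (final state q0)

# The model reported for Mace4 in Example 2; [0] = 0 is assumed (R(0, s2) forces it).
MACE4_MODEL = {"domain": [0, 1], "R": {(0, 0), (1, 1)}, "functions": {
    "0": lambda: 0, "t": lambda: 1, "f": lambda: 0, "s0": lambda: 1,
    "s1": lambda: 0, "s2": lambda: 0, "q0": lambda: 0,
    "s": lambda x: 1 - x, "even": lambda x: 1 - x, "odd": lambda x: x, "square": lambda x: x,
    "plus": lambda x, y: (x + y) % 2, "times": lambda x, y: x * y}}


def example2():
    """Parity-of-n^2 task: True means the countermodel establishes the safety property."""
    return is_countermodel(MACE4_MODEL, RULES, TRANSITIONS, ["s0"], ["q0"])
```

Adding the pair $(1, 0)$ to $[R]$ makes `psi_holds` true and breaks the congruence axiom for $even$, so `is_countermodel` then correctly rejects the model.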

4.2 Readers-writers system verification 

In this subsection we consider the example of a readers-writers system verification taken from [5, 11].

Example 3.

In the TRS specifying the system only outermost rewriting is possible, so for the translation we use a monadic reachability predicate. Furthermore, both the set of initial terms and the set of unsafe terms are finitely based. The vocabulary consists of the constant $0$, the unary functional symbol $s$ (for successor) and the binary functional symbol $state$.

The rules are as follows:

— $state(0, 0) \to state(0, s(0))$

— $state(x, 0) \to state(s(x), 0)$

— $state(x, s(y)) \to state(x, y)$

— $state(s(x), y) \to state(x, y)$

The set of initial terms is $I = \{state(0, 0)\}$.

The set of unsafe terms $U$ is finitely based with the base $B = \{state(s(x), s(y)),\ state(x, s(s(y)))\}$.

The first-order translation $\Phi$ consists of the conjunction of the following formulae:

— $R(state(0, 0))$

— $R(state(0, 0)) \to R(state(0, s(0)))$

— $R(state(x, 0)) \to R(state(s(x), 0))$

— $R(state(x, s(y))) \to R(state(x, y))$

— $R(state(s(x), y)) \to R(state(x, y))$

The formula $\psi = \exists x \exists y\ R(s(x), s(y)) \vee R(x, s(s(y)))$ expresses the negation of the correctness condition.

The system can then be successfully verified by the FCM method. The search for the countermodel for $\Phi \to \psi$ took 0.01s and the model found is as follows.

The domain $D$ of the model is the three-element set $\{0, 1, 2\}$; $[s](0) = 1$, $[s](1) = 2$, $[s](2) = 2$; $[R] = \{(0, 0), (0, 1), (1, 0), (2, 0)\}$.

Notice that no additional information is needed for the FCM method to automatically verify the readers-writers system. That may be contrasted with the verification using the tree automata completion approach (Timbuk 3.0 system) reported in [11], where an equational abstraction rule $s(s(x)) = s(s(0))$ had to be added manually to the TRS for the verification to succeed.

4.3 Reverse function

In this section we consider a verification problem from [12]. The problem here is to show that the list reverse function satisfies the following property: if in a list all symbols 'a' come before all symbols 'b', then after reversing there is no 'a' before a 'b'.

Example 4.

The vocabulary $\mathcal{F}$ consists of one 0-ary functional (constant) symbol and three binary symbols $app$, $cons$, $rev$.

The automaton recognizing the initial terms is defined as $\mathcal{A}_I = (\mathcal{F}, Q_I, Q_{f_I}, \Delta_I)$, where $\mathcal{F}$ is as defined above, $Q_I = \{qrev, qlab, qlb, qa, qb\}$, $Q_{f_I} = \{qrev\}$, and $\Delta_I$ contains

— $rev(qlab) \to qrev$

— $cons(qa, qlab) \to qlab$

— $0 \to qlb$

— $a \to qa$

— $0 \to qlab$

— $cons(qa, qlb) \to qlab$

— $cons(qb, qlb) \to qlb$

— $b \to qb$

The automaton recognizing the unsafe terms is defined as $\mathcal{A}_U = (\mathcal{F}, Q_U, Q_{f_U}, \Delta_U)$, where $\mathcal{F}$ is as above, $Q_U = \{qlab1, qlb1, q1, qa, qb\}$, $Q_{f_U} = \{qlab1\}$, and $\Delta_U$ contains

— $cons(qa, qlab1) \to qlab1$

— $cons(qa, qlb1) \to qlab1$

— $cons(qa, q1) \to q1$

— $a \to qa$

— $0 \to q1$

— $cons(qb, qlab1) \to qlab1$

— $cons(qb, q1) \to qlb1$

— $cons(qb, q1) \to q1$

— $b \to qb$

The term-rewriting system $\mathcal{R}$ consists of the following rules:

— $app(0, x) \to x$

— $app(cons(x, y), z) \to cons(x, app(y, z))$

— $rev(0) \to 0$

— $rev(cons(x, y)) \to app(rev(y), cons(x, 0))$

The first-order translation $\Phi_P$ consists of the following formulae:

— $R(rev(qlab), qrev)$

— $R(cons(qa, qlab), qlab)$

— $R(0, qlb)$

— $R(a, qa)$

— $R(0, qlab)$

— $R(cons(qa, qlb), qlab)$

— $R(cons(qb, qlb), qlb)$

— $R(b, qb)$

— $R(cons(qa, qlab1), qlab1)$

— $R(cons(qa, qlb1), qlab1)$

— $R(cons(qa, q1), q1)$

— $R(0, q1)$

— $R(cons(qb, qlab1), qlab1)$

— $R(cons(qb, q1), qlb1)$

— $R(cons(qb, q1), q1)$

— $R(b, qb)$

— $R(app(0, x), x)$

— $R(app(cons(x, y), z), cons(x, app(y, z)))$

— $R(rev(0), 0)$

— $R(rev(cons(x, y)), app(rev(y), cons(x, 0)))$

— $(R(x, y) \wedge R(y, z)) \to R(x, z)$

— $R(x, x)$

— $R(x, y) \to R(rev(x), rev(y))$

— $R(x, y) \to R(cons(z, x), cons(z, y))$

— $R(x, y) \to R(cons(x, z), cons(y, z))$

— $R(x, y) \to R(app(z, x), app(z, y))$

— $R(x, y) \to R(app(x, z), app(y, z))$

The formula $\psi_P : \exists x \exists y ((R(rev(x), qrev) \wedge R(y, qlab1)) \wedge R(rev(x), y))$ expresses the negation of the correctness condition.

For this standard encoding Mace4 failed to find a countermodel for $\Phi_P \to \psi_P$ within 40000s. However, after removing the congruence axiom $R(x, y) \to R(rev(x), rev(y))$, Mace4 found a model of size 3 (cardinality of the domain) in 0.06s (see further details in [21]). The absence of this congruence axiom means that no rewriting of proper subterms of $rev(\ldots)$ is allowed. One can either easily argue that in the TRS given above no such rewriting is possible anyway, or, remaining in a purely automated verification scenario, just accept verification modulo restrictions on the rewriting strategy. This can be contrasted with the verification of the same system in [12] using the tree automata completion technique, which required interactive approximation.



4.4 Experimental results 

In the experiments we used the finite model finder Mace4 [26] within the package Prover9-Mace4, Version 0.5, December 2007. It is not the latest available version, but it provides a convenient GUI for both the theorem prover and the finite model finder. The system configuration used in the experiments: Microsoft Windows XP Professional, Version 2002, Intel(R) Core(TM)2 Duo CPU T7100 @ 1.8GHz, 1.79GHz, 1.00 GB of RAM. The time measurements are done by Mace4 itself; upon completion of the model search it reports the CPU time used. The table below lists the parameterised/infinite-state problems together with their references and shows the time it took Mace4 to find a countermodel and verify the safety property. The time shown is an average of 10 attempts; ∞ means no return within 40000s.



Problem                          Reference    Time
Parity of n^2                    [12, 10]     0.3s
Readers-Writers                  [5, 11]      0.01s
Reverse                          [12]         ∞
Reverse (no congruence for rev)  Example 4    0.06s



5 Related work 



5.1 Discussion and Related work 

The verification of safety properties for term-rewriting systems using tree automata completion techniques has been addressed in [12, 9, 11]. The paper [10] presents a method based on encoding both the term-rewriting system and the tree automata into Horn logic and applying static analysis techniques to compute a tree automaton accepting an approximation of the set of reachable terms. The main conceptual difference between these approaches and the FCM presented in this paper is that in [12, 9, 11, 10] the safety verification is performed in two stages: first, a tree automaton approximating all reachable terms is obtained, and it depends only on the TRS but not on the safety property; second, the intersection of the language of this automaton with the language of unsafe states is computed. The FCM method we presented here operates in one stage, and computing regular approximations (in terms of finite countermodels) is done for concrete safety properties. This has the disadvantage that the results of the verification of a TRS can not be re-used for the verification of different safety properties of the same TRS. On the other hand, this disadvantage is compensated by a higher degree of automation and higher explanatory power of FCM methods, as our experimental results suggest. Another advantage of FCM is its flexibility. Rewriting modulo a theory can be easily incorporated into the general FCM framework, and previous work on FCM illustrates this point. In [23], dealing with the verification of lossy automata and cache coherence protocols, rewriting modulo first-order specifications of automata and modulo simple arithmetic was used. In [25], the translation of regular model checking into the FCM framework, the associativity of monoid multiplication was explicitly specified.

As mentioned in Section 1, the approach to verification using the modeling of protocol executions by first-order derivations together with countermodel finding for disproving was introduced within the research on the formal analysis of cryptographic protocols. It can be traced back to the early papers by Weidenbach [29] and by Selinger [35]. In [33] a decidable fragment of Horn clause logic has been identified for which a resolution-based decision procedure has been proposed (disproving by the procedure amounts to the termination of saturation without producing a proof). It was also shown that the fragment is expressive enough to encode cryptographic protocols, and the approach has been illustrated by the automated verification of some protocols using the SPASS theorem prover. In [28], apparently for the first time, explicit building of finite countermodels has been proposed as a tool to establish the correctness of cryptographic protocols. It has been illustrated by an example, where a countermodel was produced manually, and the automation of the process was not discussed. The later work by Goubault-Larrecq [15] has shown how a countermodel produced during the verification of cryptographic protocols can be converted into a formal induction proof. Also, in [15], different approaches to model building have been discussed and it was argued that an implicit model building procedure using alternating tree automata is more efficient in situations where no small countermodels exist. Very recently, in the paper [19] by J. Jürjens and T. Weber, an extension of Horn clause logic was proposed and the soundness of a countermodel finding procedure for this fragment has been shown, again in the context of cryptographic protocol verification.

The work we reported in this paper differs from all the approaches mentioned previously in two important aspects. Firstly, to the best of our knowledge, none of the previous work addressed verification via countermodel finding applied outside of the area of cryptographic protocols (that includes the most recent work [17] we are aware of). Secondly, the (relative) completeness for classes of verification tasks has not been addressed in previous work.